Show TOC

LOGIN_MODE OptionLocate this document in the navigation structure

Controls the use of standard, integrated, Kerberos, LDAP, and PAM logins for the database.

Allowed Values
  • Standard – the default setting, which does not permit integrated logins. An error occurs if an integrated login connection is attempted.
  • Mixed – allows both integrated logins and standard logins.
  • Integrated – all logins to the database must be made using integrated logins.
  • Kerberos – all logins to the database must be made using Kerberos logins.
  • LDAPUA – all logins to the database must be made using LDAP logins.
  • PAMUA – all logins to the database must be made using PAM logins.
Note Mixed is equivalent to "Standard,Integrated".
Default

Standard

Scope

Option can be set at the database (PUBLIC) level only.

Requires the SET ANY SECURITY OPTION system privilege to set this option. Takes effect immediately.

Remarks

Values are case-insensitive. Specify values in a comma-separated list without white space.

Caution
  • Restricting the LOGIN_MODE to a single mode in a mixed environment (for example, integrated only or LDAPUA only) restricts connections to only those users who have been granted the corresponding login mapping. Attempting to connect using other methods generates an error. The only exceptions to this are users with full administrative rights (SYS_AUTH_DBA_ROLE or SYS_AUTH_SSO_ROLE).
  • Restricting the LOGIN_MODE to LDAPUA only may result in a configuration where no users can connect to the server if no user or login policy exists that permits LDAPUA. Use the command line switch -al <user-id-list> with the start_iq utility to recover from this situation.
  • If a database file is not secured and can be copied by unauthorized users, set the LOGIN_MODE as a TEMPORARY public option for integrated, Kerberos, or PAM user authentication. This ensures that, by default, integrated, Kerberos, and PAM logins are not supported if the file is copied.